Top Ten—RMF “Lessons Learned”

By Lon J. Berman, CISSP  BAI Information Security

I recently had the pleasure of consulting for a DoD program that successfully navigated the RMF process and received a full three year Authorization to Operate (ATO).

In lieu of … or in addition to … a victory party, the team decided it would be productive to conduct an After-Action Review.

This edition of the RMF Top Ten highlights some of their “lessons learned” in the area of Project and Resource Management.

10. Assign writers/owners for controls and CCIs as soon as categorization is complete and controls are identified.

9. Develop a tracking mechanism early to track progress of CCI completion.

8. Establish a common approach to addressing controls for the entire program – writing styles can vary widely.

7. Establish roles and responsibilities, and do NOT underestimate the time required to prepare documentation, process, and input into eMASS.

6. Establish weekly meetings to track progress and raise issues. Track action items to completion.

5. Encourage team members to receive training in the RMF process itself (in addition to training on the eMASS tool).

4. Establish roles and responsibilities, and do NOT underestimate the time required to prepare documentation, process, and input into eMASS.

3. Project Manager and ISSO must understand RMF and ATO process completely, stay abreast of progress, and meet with the System Owner regularly (recommend weekly) on status, risks, and mitigation strategies.

2. Assign a full-time ISSO and include in this role in program budgeting processes, if not already included.

1. Assign a Project Manager to track performance in terms of scope, cost, and schedule. Based on required documentation and updates, etc., build a master schedule and use it to track progress.

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF.  Please take a look at our RMF training courses here.

Here is a link to a great book on RMF that we highly recommend.

A ton of other information can be found on the NIST web site.